<<< Date Index >>>     <<< Thread Index >>>

RE: security enforcement - new monitor for winnt



        Liu Die Yu, are you sure you don't want to be calling _snprintf
here? ;) And since CreateFileW can be called with a 32,767 byte file name,
I'm not sure what'll happen when you stuff it into a 200 byte buffer when
it's converted to multi-byte... Call me crazy, but I'd be a little hesitant
to run this in a production environment (even though it's at version 6.0)

        Microsoft doesn't have a monopoly on buggy code with B0fs in it. ;)

        This is a good idea though, hooking is neat. I'm not so sure I'd say
it's unprecedented. Using AppInit_DLLs to load a hook DLL is a pretty common
trick. Still, a nice hack.

.text:10001AEB ; int __stdcall My_CreateFileW(LPCWSTR
lpWideCharStr,int,int,int,int,int,int)
.text:10001AEB                 public My_CreateFileW
.text:10001AEB My_CreateFileW  proc near               ; DATA XREF:
DllMain(x,x,x)+47o
.text:10001AEB                                         ; DllMain(x,x,x)+75o
.text:10001AEB 
.text:10001AEB var_CD0         = byte ptr -0CD0h
.text:10001AEB var_8D0         = dword ptr -8D0h
.text:10001AEB var_8CC         = dword ptr -8CCh
.text:10001AEB MultiByteStr    = byte ptr -8C8h
.text:10001AEB Text            = byte ptr -800h
.text:10001AEB lpWideCharStr   = dword ptr  8
.text:10001AEB arg_4           = dword ptr  0Ch
.text:10001AEB arg_8           = dword ptr  10h
.text:10001AEB arg_C           = dword ptr  14h
.text:10001AEB arg_10          = dword ptr  18h
.text:10001AEB arg_14          = dword ptr  1Ch
.text:10001AEB arg_18          = dword ptr  20h
.text:10001AEB 
.text:10001AEB                 push    ebp
.text:10001AEC                 mov     ebp, esp
.text:10001AEE                 sub     esp, 0CD0h
.text:10001AF4                 mov     [ebp+var_8D0], 0
.text:10001AFE                 call    sub_100012EF    ; _reg
.text:10001B03                 test    eax, eax
.text:10001B05                 jnz     loc_10001C42
.text:10001B0B                 lea     eax, [ebp+var_CD0]
.text:10001B11                 push    eax
.text:10001B12                 mov     ecx, [ebp+arg_4]
.text:10001B15                 push    ecx
.text:10001B16                 call    sub_10001383
.text:10001B1B                 push    0               ; lpUsedDefaultChar
.text:10001B1D                 push    0               ; lpDefaultChar
.text:10001B1F                 push    0C8h            ; cchMultiByte
.text:10001B24                 lea     edx, [ebp+MultiByteStr]
.text:10001B2A                 push    edx             ; lpMultiByteStr
.text:10001B2B                 push    0FFFFFFFFh      ; cchWideChar
.text:10001B2D                 mov     eax, [ebp+lpWideCharStr]
.text:10001B30                 push    eax             ; lpWideCharStr
.text:10001B31                 push    0               ; dwFlags
.text:10001B33                 push    0               ; CodePage
.text:10001B35                 call    ds:WideCharToMultiByte
.text:10001B3B                 mov     [ebp+Text], 0
.text:10001B42                 lea     ecx, [ebp+MultiByteStr]
.text:10001B48                 push    ecx
.text:10001B49                 lea     edx, [ebp+var_CD0]
.text:10001B4F                 push    edx
.text:10001B50                 call    ds:GetCommandLineA
.text:10001B56                 push    eax
.text:10001B57                 call    sub_100010C9
.text:10001B5C                 push    eax
.text:10001B5D                 push    offset aCreatefileSSSS ;
"CreateFile:%s > %s ==> %s --> %s"
.text:10001B62                 lea     eax, [ebp+Text]
.text:10001B68                 push    eax
.text:10001B69                 call    _sprintf
.text:10001B6E                 add     esp, 18h
.text:10001B71                 mov     [ebp+var_8D0], 0
.text:10001B7B                 jmp     short loc_10001B8C

Cheers,
~x


> -----Original Message-----
> From: Liu Die Yu [mailto:liudieyuinchina@xxxxxxxxxxxx] 
> Sent: March 29, 2004 11:35 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: security enforcement - new monitor for winnt
> 
> 
> 
> 
> i want to stop ie:
> 
> writing EXE/CAB/LNK ... files,
> 
> calling MSHTA.EXE to parse remote web pages,
> 
> accessing files outside "favorites" and cache("content.ie5").
> 
> 
> 
> i want to stop WSCRIPT.EXE from parsing files inside TEMP and cache.
> 
> 
> 
> i want to stop the system running executable files located in 
> TEMP and cache.
> 
> 
> 
> afaik, i can stop ie 0day exploits by doing these things.
> 
> 
> 
> so, i made this:
> 
http://umbrella.name/winblox/

of course, free. and you can define your own rules easily(assuming you guys
know a bit about regular expression).



it's totally a new idea(afaik). so, not for operational uses. 

---
Incoming mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004
 

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.605 / Virus Database: 385 - Release Date: 01/03/2004